Problems with 1.2.3 and interfaces.

sagitari

Hello,

I installed 1.2.3 from the livecd to a usb stick without any problems. I selected the default install and rebooted into pfs without any problems. The problem I have is accessing the webconfigurator. I have a cable business account with 8 static IPs but to configure pfs I need to access the gui first.

Here is what I have done:

1. Installed pfs into usb stick (default installation)
2. Assigned my asus m2n32-sli vista edition mobo's two nics to LAN and WAN fwe0 and fwip0 (pfs option 1)
3. Changed the LAN setup to 192.168.0.1/24 and no DHCP server (pfs option 2)
4. Try to access the gui from any another computer in the LAN resulted in failure.

My setup is as follow pfs LAN and client computer connected to cisco 2950 switch. pfs WAN directly connected to cable modem where I can get all the 8 static IPs (sort of bridged configuration). Also tried connecting the client directly to the pfs box with a straight and crossover cable no luck.

Now if I go to pfs shell (pfs option 8) and ping my local interfaces (12.0.0.1 and 192.168.0.1) i get the echo back if I ping other computers on the LAN side (echo enabled) I don't get any echoes back.

netstat -r show (ip4)
Dest            Gateway  flags    refs  use  neif  expire
67.79.x.x    link#2      UC      0    0      fwip0
localhost      localhost  UH      0    2065  lo0
192.168.0.0  link#1      UC      0      0      fwe0

I've tried with another asus m4a77d and an additional 3com nic same problem.

Any ideas?

Thanks

wallabybob

What is the IP address, network mask and default gateway of the computers on the LAN?

If these aren't set correctly the LAN computers won't be able to access pfSense. Given how you have configured pf Sense your LAN computers should have an IP address of the form 192.168.0.x (x between 2 and 254), network mask of 255.255.255.255 and default gateway of 192.168.0.1.

I find it easier to have all my LAN computers use DHCP to get an IP address because the other two parameters get set correctly automatically.

sagitari

@wallabybob:

What is the IP address, network mask and default gateway of the computers on the LAN?

If these aren't set correctly the LAN computers won't be able to access pfSense. Given how you have configured pf Sense your LAN computers should have an IP address of the form 192.168.0.x (x between 2 and 254), network mask of 255.255.255.255 and default gateway of 192.168.0.1.

I find it easier to have all my LAN computers use DHCP to get an IP address because the other two parameters get set correctly automatically

Thanks for the fast reply,

To troubleshoot this I isolated the pfs box and only one client (mac mini) connected to a cheap netgear switch.

So here is the setup:
1. pfs box 192.168.0.1/24 and now with DHCP enabled.
2a. MacMini with DHCP enabled was unable to get the address from the pfs box. Defaults to internal IP
2b. McMini with static IP assignment 192.168.0.23/24 gateway 192.168.0.1. Unable to access pfs GUI

Tried to ping pfs box and use tcpdump fwe0 and no packets reach the pfs box. Interfaces on pfs box are up (lights are on).

I'm at a loss here.

UPDATE
Turns out that the netgear is not a switch but a hub so I connected a computer running wireshark to trace the packets and it seems that the pfsense box is completeley mute. There is absolutely no activity on the pfsense box interfaces, no DHCP traffic, no ARP traffic no nothing. I can see the MacMini requesting the DHCP address and ARP but the pfsense box continues to be silent.

I wonder if this is a nic conflict with pfsense or a configuration issue?

wallabybob

Maybe your hardware is broken in some way. Please provide the output of the shell commands:

# ifconfig -a
# netstat -i
# vmstat -i

to verify the interface has gone into half duplex to match the hub, to see if any traffic (including errored frames) has been seen on the interface and see if the CPU has acknowledged any interrupt requests from the NICs.

Do you have another NIC you could try as LAN? If not, do you see anything different if you swap the roles of LAN and WAN? (Option 1 from pfSense console.)

Is the hub 100bps capable?

sagitari

@wallabybob:

Maybe your hardware is broken in some way. Please provide the output of the shell commands:

# ifconfig -a
# netstat -i
# vmstat -i

to verify the interface has gone into half duplex to match the hub, to see if any traffic (including errored frames) has been seen on the interface and see if the CPU has acknowledged any interrupt requests from the NICs.

Do you have another NIC you could try as LAN? If not, do you see anything different if you swap the roles of LAN and WAN? (Option 1 from pfSense console.)

Is the hub 100bps capable?

Yes, something is not compatible between the ASUS M2N32-SLI vista edition and PFSense. Too bad because I had this mobo laying around waiting for a good project and with dual gigabit ethernet ports pfsense was the ideal solution.

I tried PFSense with a different mobo (ASUS A7N8X-E) with one gigabit and one 10/100 ethernet ports, with this mobo pfsense works great.

Hub is a netgear DS108 10/100. Tomorrow I'll try a 3com and see if it works, in the mean time here is the info. I'd really like to get this mobo runing with PFsense since it has two gigabit lan ports.

ifconfig output

fwe0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=8 <vlan_mtu>ether 02:11:d8:39:8e:83
inet6 fe80::11:d8ff:fe39:8e83%fwe0 prefixlen 64 scopeid 0x1
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
ch 1 dma 0
fwip0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
lladdr 0.11.d8.0.1.39.8e.83.a.2.ff.fe.0.0.0.0
inet6 fe80::211:d800:139:8e83%fwip0 prefixlen 64 scopeid 0x2
inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
nfe0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
options=19b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4>ether 00:1a:92:d3:e9:d3
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nfe1: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
options=19b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4>ether 00:1a:92:d3:f3:63
media: Ethernet autoselect (none)
status: no carrier
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=41 <up,running>metric 0 mtu 1460
pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=100 <promisc>metric 0 mtu 33204</promisc></up,running></up,loopback,running,multicast></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4></broadcast,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4></broadcast,simplex,multicast></up,broadcast,running,simplex,multicast></vlan_mtu></up,broadcast,running,promisc,simplex,multicast>

netstat output

Name    Mtu Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
fwe0   1500 <link#1>02:11:d8:39:8e:83        0     0        6     0     0
fwe0   1500 fe80:1::11:d8 fe80:1::11:d8ff:f        0     -        1     -     -
fwe0   1500 192.168.1.0   pfSense                  0     -        0     -     -
fwip0  1500 <link#2>00:11:d8:00:01:39:8e:83:0a:02:ff:fe:00:00:00:00        0     0        2     0     0
fwip0  1500 fe80:2::211:d fe80:2::211:d800:        0     -        1     -     -
fwip0  1500 0.0.0.0       0.0.0.0                  0     -        0     -     -
nfe0*  1500 <link#3>00:1a:92:d3:e9:d3        0     0        0     0     0
nfe1*  1500 <link#4>00:1a:92:d3:f3:63        0     0        0     0     0
lo0   16384 <link#5>1090     0     1090     0     0
lo0   16384 your-net      localhost             1090     -     1090     -     -
lo0   16384 ::1           ::1                      0     -        0     -     -
lo0   16384 fe80:5::1     fe80:5::1                0     -        0     -     -
enc0*  1536 <link#6>0     0        0     0     0
pfsyn  1460 <link#7>0     0        0     0     0
pflog 33204 <link#8>0     0        0     0     0</link#8></link#7></link#6></link#5></link#4></link#3></link#2></link#1> 

vmstat output

interrupt                          total       rate
irq1: atkbd0                        1168          1
irq6: fdc0                            56          0
irq14: ata0                           69          0
irq16: fwohci0+                       11          0
irq21: ohci0+                        305          0
irq22: ehci0                       11015         11
cpu0: timer                      1970124       1998
cpu1: timer                      1953770       1981
Total                            3936518       3992

wallabybob

Ah, now I see the problem. You have configured interfaces fwe0 and fwip0. fwe is for ethernet emulation over firewire and fwip is for IP over firewire. I guess your motherboard has a firewire controller.

From everything you have said about your configuration you should be attempting to use the "real" ethernet interfaces nfe0 and nfe1 rather than fwe0 and fwip0

It looks as if something recognisable as ethernet is plugged into nfe0 (status active) but not nfe1.

sagitari

@wallabybob:

Ah, now I see the problem. You have configured interfaces fwe0 and fwip0. fwe is for ethernet emulation over firewire and fwip is for IP over firewire. I guess your motherboard has a firewire controller.

From everything you have said about your configuration you should be attempting to use the "real" ethernet interfaces nfe0 and nfe1 rather than fwe0 and fwip0

It looks as if something recognisable as ethernet is plugged into nfe0 (status active) but not nfe1.

I did wonder why I had those interfaces. I'll try to use the real interfaces after lunch and I'll post the results.

UPDATE
Ok, I reassigned the interfaces (pfs option 1) but now instead of auto-detecting the interfaces I forced the LAN to use nfe0 and the WAN to use nfe1. That did the trick.

Everything seems to be working as expected.

Thanks!

wallabybob

Thanks for reporting back. Bit of a trap that auto-detect and the firewire interfaces.